From 5941f95b00f9871436665d09891beafeac615a76 Mon Sep 17 00:00:00 2001
From: finn <git@hot.oily.dad>
Date: Sun, 19 Apr 2026 14:18:52 -0700
Subject: [PATCH] slight addition to pre key verification section

---
 hub/onboard-spoke.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hub/onboard-spoke.sh b/hub/onboard-spoke.sh
index e6d7b0e..03bd74e 100755
--- a/hub/onboard-spoke.sh
+++ b/hub/onboard-spoke.sh
@@ -81,6 +81,11 @@ KEY_PATH="$SSH_DIR/$KEY_NAME"
 mkdir -p "$(dirname "$RCLONE_CONF")"
 
 header "Checking Tunnel"
+info "Verifying spoke SSH service is reachable on port $TUNNEL_PORT..."
+# Test TCP connectivity first
+if ! timeout 5 bash -c "cat < /dev/null > /dev/tcp/localhost/$TUNNEL_PORT" 2>/dev/null; then
+  die "Cannot connect to port $TUNNEL_PORT on localhost — is the tunnel up?"
+fi
 info "Scanning spoke host key..."
 KEYSCAN=$(ssh-keyscan -p "$TUNNEL_PORT" -H localhost 2>/dev/null)
 [ -n "$KEYSCAN" ] || die "Spoke not reachable on port $TUNNEL_PORT — is the tunnel up?"
@@ -91,9 +96,6 @@ while IFS= read -r KEYSCAN_LINE; do
   fi
 done <<<"$KEYSCAN"
 
-info "Verifying spoke SSH service is reachable on port $TUNNEL_PORT..."
-info "Note: Password authentication should be enabled on the spoke for initial key setup."
-
 header "Generating Hub SSH Key"
 if [ -f "$KEY_PATH" ]; then
   warn "Key $KEY_PATH already exists, skipping generation."